I bypass a Nginx exact-match rule via PHP-FPM path confusion to expose phpinfo(), then inject a base64-encoded XSS payload using a form feed character as whitespace to exfiltrate the flag.
